Executive Summary


There are many secret sharing schemes and variations available to hide and reconstruct a given secret. Shamir's Secret Sharing Scheme, making use of linear Lagrange interpolation on the dealer-generated polynomial, reconstructs the secret from the stipulated threshold number of participants' shares. Such a scheme has been widely analysed by mathematicians and computer scientists for potential weaknesses that would allow an external eavesdropper to reconstruct the secret.

The objective of this thesis report is thus to present a variation of Shamir's threshold secret sharing scheme by manipulating the dealer-generated polynomial into a simplified version such that any eavesdropper can reconstruct the secret by gaining two public shares, instead of the stipulated threshold level. The envisaged improvements are then evaluated for any impact on side-channel effects on the Advanced Encryption Standard.

Existing and famous mathematical conjectures (including Pillai's conjecture, the Fermat-Catalan conjecture, and Hall's conjecture) were built upon to seek a potential weakness in the security of the current secret sharing scheme. Essentially, the analysis aimed to reduce the order of difficulty in reconstructing the secret. Assuming that the dealer-generated polynomial is monic, it is then deconstructed by applying a composite linear function in which two additional variables are introduced.

In general, assuming that the original form of the dealer-generated polynomial is $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$, by composing it with the linear function $g(x) = x + \alpha$, the eventual form of the dealer-generated polynomial can be manipulated into the form $f(x) = (x + \alpha)^k - b_0$, where $\alpha$ and $b_0$ are the two newly introduced variables. The challenge is then reduced to finding the values of both $\alpha$ and $b_0$.

It was postulated that an eavesdropper would be able to recover the secret by simply obtaining two public shares, namely $(x_1, y_1)$ and $(x_2, y_2)$, from the multitude of available public shares, and that this could be achieved by determining the numerical boundaries for the variable $\alpha$. Specifically, all encompassing cases, without loss of generality, were considered to ensure that no possibility was neglected. The starting point is to take the difference between the two easily obtained $y$-values. From there on, it is just a matter of manipulating the inequalities to screen out the boundaries of $\alpha$. Once the boundaries of $\alpha$ are found, it is trivial to try out the available choices for $\alpha$, and subsequently $b_0$, and eventually the secret.

While this methodology does not allow for the absolute reconstruction of the secret, as Lagrange interpolation does, it presents an alternate methodology for an eavesdropper to retrieve the secret using significantly fewer shares than the required threshold number. The boundaries reduce the possibilities for the secret value from a near-infinite number to a manageable cardinality that can be searched exhaustively. The crux is that as long as two shares are gathered, the value of $\alpha$ can be derived easily through exhaustive means. Once the value of $\alpha$ is found, it remains trivial to determine $b_0$ through the equation $y_i = (x_i + \alpha)^k - b_0$, where $(x_i, y_i)$ are known public shares. Subsequently, the secret is reconstructed as $f(0)$.

Therefore, it is important for the dealer to generate the polynomial with coefficients that do not contain a common factor. From this thesis analysis, it was concluded that the common factor, if accidentally found by an eavesdropper or outsider, can be used to reconstruct the secret efficiently using only two public shares.

Such findings pave the way for an alternate methodology to recover the secret with less-than-expected available information. It effectively reduces the order of evaluating the monic polynomial, since only linear algebra is involved. This stems from the motivation that linear equations are easier to solve, and in cryptography, linearity presents a weaker form of security for any eavesdropper to break through. Thus, for improved security, the dealer should avoid generating the polynomial using successive binomial integers as its polynomial coefficients, further amplifying the importance of the dealer.

A lot of research has been focused on the perfect secret sharing scheme. While there are no known weaknesses in Shamir's Secret Sharing Scheme, many researchers have focused on the computational inefficiency when the generated polynomial is of large degree. While many improvised secret sharing schemes have proven more effective than Shamir's Secret Sharing Scheme, they have only been better under certain parameters; there is always a trade-off with some parameter of the scheme.


Acknowledgments


Without a doubt, I am heavily indebted to Dr. Pante Stanica, professor and associate chair of research in the Department of Applied Mathematics, Naval Postgraduate School, who graciously agreed to be my thesis advisor when I first approached him. Throughout the period of my thesis research, Dr. Stanica has shown the utmost patience and provided invaluable guidance to me. I shall never forget the advice that Dr. Stanica first gave to me, urging me that while generating a credible thesis is of utmost priority for the completion of the master's course, it is equally important to continue to learn something new along my academic journey.

I would also like to thank Dr. David Canright for pointing me in the right direction on related cryptography topics. His expertise in the Advanced Encryption Standard allowed me to reach a deeper level of understanding for the second part of my thesis. Special mention goes to Associate Professor Ralucca Gera, who imparted to me the domain knowledge in discrete mathematics and graph/network theory. Most importantly, she introduced me to the LaTeX format for writing academic research papers, and although I was initially apprehensive to venture into it, the ease with which I was able to format my thesis made it well worth the effort.

The magnitude of completing this thesis would not have been possible without the selfless support and sacrifice of my wife, Sharon, who took the time to nurture our two children, Rianne and Rayden, during this one-year stay in the United States, while at the same time allowing me to concentrate on pursuing my academic achievements. Their youthful and chirpy presence in the family served to lift the stressful mood off my shoulders as I continued on my studies and thesis inquest, often into the wee hours of the day.

I am also grateful for the support rendered to me by my fellow aspiring mathematicians, Scott Warnke, Karoline Hood, Ryan Miller, and Zack Lukens, with whom I had the privilege to not only share an office, but also to spar mathematically. The good times that we had during Thanksgiving and various other festive activities will no doubt be lasting wonderful memories.

Last but not least, I would like to give a special shout-out to Associate Professor Bard Mansager, my academic advisor in the Department of Applied Mathematics. Bard was the one who reassured me that the Math Department would take good care of me during my time at NPS, and I am indeed honored to be part of this wonderful family during my short stint here.

Looking back, this one year has passed by in the blink of an eye. The time spent here in Monterey and NPS has been nothing short of mesmerizing and fantastic. For friends and colleagues who I am unable to thank here, I offer my sincerest apologies, but nevertheless would like to thank them for offering me advice, guidance, and domain expertise during this arduous journey.


CHAPTER 1:

Introduction to Secret Sharing


Imagine you have been given the task of finding out the average salary of a room full of $N$ highly successful individuals. The obvious way is to sum up all the individuals' salaries and divide the sum by the total number of people in the room. The problem is that none of the individuals want to disclose their monthly income, because such figures are highly confidential and sensitive.

Here is a viable solution. Have Person A come up with a random number, say $[\alpha]$, and add his or her own salary to $[\alpha]$. This new value is passed on to Person B, who then adds his or her own salary to the value received from Person A. Person B does not know how much Person A's salary is, since he or she does not know what random number $[\alpha]$ Person A has chosen.

The process repeats itself until the last person in the room, Person $N$, receives the running value from the second-to-last person, Person $N - 1$. Person $N$ adds his or her salary, and the final value, say $[\beta]$, is then passed back to Person A. At this stage, Person A simply needs to subtract $[\alpha]$ from $[\beta]$ (since only he or she knows what $[\alpha]$ is) and average this subtotal over the number of people in the room, $N$. In this way, the average salary in the room is obtained without any person revealing his or her income.

The value of $[\alpha]$ is critical in this instance, as it provides a gateway to gather information from multiple sources without each source revealing information that should otherwise remain secret. For example, if any person in the room other than Person A knew the value of $[\alpha]$, he or she could find out Person A's income by simply providing that value to Person B and having Person B perform the arithmetic.

Consider another secret sharing example. A bank vault in a highly secured bank requires three keys to open. The key holders are already designated to be two of the bank's top hierarchy. But strict financial regulations state that no one person should be in total possession of the three keys, for fear of corruption. The logical partition would be to split the keys between these two personnel. With both needing equal authority over the safekeeping of the bank vault, this constitutes a conundrum.

The two-man rule states that all actions and access require the presence of two authorized people at all times. In the bank vault secret sharing example, the logical way to follow this rule is to let Person A hold Key 1 and Key 2, and Person B hold Key 2 and Key 3. In this way, no single person can open the bank vault (since the vault needs three keys), and both authorized persons (given equal authority by holding two keys each) need to be present in order to open the vault.

The methodology of sharing secrets (or splitting secrets) was independently invented by Adi Shamir [1] and George Blakley [2] in 1979. Being one of the most well-known and dominant secret sharing schemes, Shamir's Secret Sharing Scheme [1] is the one mainly analysed in this thesis.

1.1 Shamir's Secret Sharing Scheme

Shamir's Secret Sharing Scheme comprises the general distribution of shares to $n$ participants, where each participant holds a unique share. In order to reconstruct the secret, some or all of the parts are needed. Since gathering all the participants to reconstruct the secret may be impractical, the threshold scheme is formulated so that any $k$ parts suffice to reconstruct the secret. This is also known as the $\{k, n\}$ threshold scheme. If $k = n$, then all participants are required in order to reveal the secret.

In general, the secret $S$ is divided into $n$ pieces of data $S_1, S_2, \ldots, S_n$ in such a way that

• $k$ or more $S_i$ shares are enough to piece together the secret.

• $k - 1$ or fewer $S_i$ shares are not enough to determine the secret (other than by trying all possibilities).

1.1.1 Secret Sharing Example Using a Quadratic Polynomial

Assume that the secret value to be kept is 4,321 (i.e., $S = 4{,}321$), and the threshold scheme is to be set as $\{3, 7\}$ (i.e., any subset of three shares out of the possible seven shares is sufficient to reconstruct the secret). Randomly, $(k - 1)$ integers are picked to construct the degree $(k - 1)$ polynomial:

$$a_1 = 69, \quad a_2 = 213.$$

The polynomial to produce the required number of secret shares is thus constructed to be


$$f(x) = 4321 + 69x + 213x^2. \qquad (1.1)$$

Since there are seven shares, seven points are then constructed from Eqn. (1.1). These seven points are as follows:


Table 1.1: Seven Points Constructed from a Quadratic Polynomial

    x    y = f(x)
    1        4603
    2        5311
    3        6445
    4        8005
    5        9991
    6       12403
    7       15241

In order to reconstruct the secret, any three shares are sufficient. Consider the following three random points: $P_0 = (x_0, y_0) = (1, 4603)$; $P_1 = (x_1, y_1) = (3, 6445)$; and $P_2 = (x_2, y_2) = (5, 9991)$. The theory of Lagrange polynomial interpolation is used to reconstruct the secret:

$$l_0(x) = \frac{x - x_1}{x_0 - x_1} \cdot \frac{x - x_2}{x_0 - x_2} = \frac{x - 3}{1 - 3} \cdot \frac{x - 5}{1 - 5} = \frac{1}{8}(x - 3)(x - 5),$$

$$l_1(x) = \frac{x - x_0}{x_1 - x_0} \cdot \frac{x - x_2}{x_1 - x_2} = \frac{x - 1}{3 - 1} \cdot \frac{x - 5}{3 - 5} = -\frac{1}{4}(x - 1)(x - 5),$$

$$l_2(x) = \frac{x - x_0}{x_2 - x_0} \cdot \frac{x - x_1}{x_2 - x_1} = \frac{x - 1}{5 - 1} \cdot \frac{x - 3}{5 - 3} = \frac{1}{8}(x - 1)(x - 3).$$

By Lagrange interpolation, the polynomial is recovered by using

$$f(x) = \sum_{i=0}^{2} l_i(x)\, y_i = \left[\tfrac{1}{8}(x - 3)(x - 5)\right] \times 4603 + \left[-\tfrac{1}{4}(x - 1)(x - 5)\right] \times 6445 + \left[\tfrac{1}{8}(x - 1)(x - 3)\right] \times 9991 = 4321 + 69x + 213x^2.$$

The constant coefficient (or $a_0$) is found to be equal to the initial secret value, and the secret reconstruction is complete.

1.1.2 Secret Sharing Example Using a Cubic Polynomial

If a minimum of four shares were desired for the secret reconstruction, for a $\{4, 7\}$ threshold scheme, then a cubic polynomial will be formed. Consider the following example:

$$S = 36, \quad a_1 = 6, \quad a_2 = 4, \quad a_3 = 2.$$

The polynomial is now constructed as

$$g(x) = 36 + 6x + 4x^2 + 2x^3.$$


The seven points constructed from $g(x)$ are as follows:

Table 1.2: Seven Points Constructed from a Cubic Polynomial

    x    y = g(x)
    1          48
    2          80
    3         144
    4         252
    5         416
    6         648
    7         960

Since four shares are required, consider the following four random points: $P_0 = (x_0, y_0) = (1, 48)$; $P_1 = (x_1, y_1) = (3, 144)$; $P_2 = (x_2, y_2) = (5, 416)$; and $P_3 = (x_3, y_3) = (7, 960)$.

Lagrange interpolation is applied and the following is obtained:

$$l_0(x) = \frac{x - x_1}{x_0 - x_1} \cdot \frac{x - x_2}{x_0 - x_2} \cdot \frac{x - x_3}{x_0 - x_3} = \frac{x - 3}{1 - 3} \cdot \frac{x - 5}{1 - 5} \cdot \frac{x - 7}{1 - 7} = -\frac{1}{48}(x - 3)(x - 5)(x - 7),$$

$$l_1(x) = \frac{x - x_0}{x_1 - x_0} \cdot \frac{x - x_2}{x_1 - x_2} \cdot \frac{x - x_3}{x_1 - x_3} = \frac{x - 1}{3 - 1} \cdot \frac{x - 5}{3 - 5} \cdot \frac{x - 7}{3 - 7} = \frac{1}{16}(x - 1)(x - 5)(x - 7),$$

$$l_2(x) = \frac{x - x_0}{x_2 - x_0} \cdot \frac{x - x_1}{x_2 - x_1} \cdot \frac{x - x_3}{x_2 - x_3} = \frac{x - 1}{5 - 1} \cdot \frac{x - 3}{5 - 3} \cdot \frac{x - 7}{5 - 7} = -\frac{1}{16}(x - 1)(x - 3)(x - 7),$$

$$l_3(x) = \frac{x - x_0}{x_3 - x_0} \cdot \frac{x - x_1}{x_3 - x_1} \cdot \frac{x - x_2}{x_3 - x_2} = \frac{x - 1}{7 - 1} \cdot \frac{x - 3}{7 - 3} \cdot \frac{x - 5}{7 - 5} = \frac{1}{48}(x - 1)(x - 3)(x - 5).$$

The polynomial is then recovered by using

$$g(x) = \sum_{i=0}^{3} l_i(x)\, y_i = \left[-\tfrac{1}{48}(x - 3)(x - 5)(x - 7)\right] \times 48 + \left[\tfrac{1}{16}(x - 1)(x - 5)(x - 7)\right] \times 144 + \left[-\tfrac{1}{16}(x - 1)(x - 3)(x - 7)\right] \times 416 + \left[\tfrac{1}{48}(x - 1)(x - 3)(x - 5)\right] \times 960 = 36 + 6x + 4x^2 + 2x^3.$$

The constant coefficient (or $a_0$) is equal to the initial secret value, and thus the secret reconstruction is complete.

In general, in order to implement the $\{k, n\}$ threshold scheme, a polynomial of degree $k - 1$ is required. The degree $k - 1$ polynomial has $k$ coefficients, which can be recovered from any system of $k$ equations, that is, from any $k$ shares.
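The dealer and reconstruction steps of Sections 1.1.1 and 1.1.2, written out as an added Python example (this is not code from the thesis): share generation for the {3, 7} and {4, 7} schemes, Lagrange interpolation with exact rational arithmetic over the integer ring the thesis works in, and the same interpolation over the prime field Z_p of Section 1.2 (the prime p = 10007 is a constructed choice). The function names eval_poly, make_shares, lagrange_interpolate and recover_secret are the example's own. It also exercises the threshold property: k − 1 shares determine a polynomial whose constant term is unrelated to the secret.

```python
from fractions import Fraction

# Example code added for this chapter (not from the thesis). It reproduces the
# dealer and reconstruction steps of Sections 1.1.1 and 1.1.2 over the integers,
# using exact rational arithmetic, and optionally over the prime field Z_p of
# Section 1.2 (p = 10007 in the usage below is a constructed choice).


def eval_poly(coeffs, x, p=None):
    """Evaluate a_0 + a_1 x + ... + a_m x^m (coefficients low degree first) by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = acc * x + a
        if p is not None:
            acc %= p
    return acc


def make_shares(coeffs, n, p=None):
    """Dealer step: the n public shares (i, f(i)) for i = 1, ..., n."""
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def _poly_mul(a, b, p=None):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return [c % p for c in out] if p is not None else out


def _poly_add(a, b, p=None):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    out = [x + y for x, y in zip(a, b)]
    return [c % p for c in out] if p is not None else out


def _inverse(d, p=None):
    """1/d: an exact Fraction over Z, or the modular inverse in Z_p."""
    return Fraction(1, d) if p is None else pow(d % p, -1, p)


def lagrange_interpolate(points, p=None):
    """Coefficient list (low degree first) of the unique polynomial of degree
    < len(points) through the given (x_i, y_i), i.e. sum_i l_i(x) y_i with
    l_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        numerator, denominator = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                numerator = _poly_mul(numerator, [-xj, 1], p)   # times (x - x_j)
                denominator *= xi - xj
        scale = yi * _inverse(denominator, p)
        result = _poly_add(result, [c * scale for c in numerator], p)
    # Over Z the exact arithmetic lands on integers; report them as ints.
    return [int(c) if isinstance(c, Fraction) and c.denominator == 1 else c
            for c in result]


def recover_secret(points, p=None):
    """The secret is the constant coefficient a_0 = f(0)."""
    return lagrange_interpolate(points, p)[0]


if __name__ == "__main__":
    quad = [4321, 69, 213]          # f(x) of Eqn. (1.1): {3, 7} scheme
    print(make_shares(quad, 7))     # the seven points of Table 1.1
    print(lagrange_interpolate([(1, 4603), (3, 6445), (5, 9991)]))   # [4321, 69, 213]
    cubic = [36, 6, 4, 2]           # g(x) of Section 1.1.2: {4, 7} scheme
    print(make_shares(cubic, 7))    # the seven points of Table 1.2
    print(recover_secret([(1, 48), (3, 144), (5, 416), (7, 960)]))  # 36
    # k - 1 shares are not enough: two points of the quadratic give a line
    # whose constant term is unrelated to the secret.
    print(recover_secret([(1, 4603), (3, 6445)]))                    # 3682
    # The same reconstruction in Z_p (p = 10007, a constructed prime choice).
    print(lagrange_interpolate([(2, 5311), (4, 8005), (7, 15241 % 10007)], p=10007))
```

Running the file reproduces Tables 1.1 and 1.2 and recovers 4321 and 36 from three and four shares respectively. The modular variant keeps every share the same size regardless of the coefficients and is the setting Section 2.2 points to for efficiency.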
1.2 Formal Definitions for Abstract Algebra

In order to aid in the analysis of Shamir's Secret Sharing Scheme (SSSS), and to simplify the polynomials used in the scheme, it is necessary to define some basic notions of linear and abstract algebra. Much of the information can be obtained from related mathematical texts, such as John B. Fraleigh's A First Course in Abstract Algebra [3]. The related definitions from the text are extracted and presented here.

1.2.1 Abstract Algebra — Groups, Rings, Fields, Finite Fields

Definition 1.2.1. [3, pp. 37-39] A group $\langle G, * \rangle$ is a set $G$, closed under a binary operation $*$, such that the following axioms are satisfied:

$\mathcal{G}_1$: For all $a, b, c \in G$, the associativity of $*$, $(a * b) * c = a * (b * c)$, holds.

$\mathcal{G}_2$: There is an element $e$ in $G$ such that for all $x \in G$, $e * x = x * e = x$. This is also known as the identity element $e$ for $*$.

$\mathcal{G}_3$: Corresponding to each $a \in G$, there is an element $a' \in G$ such that $a * a' = a' * a = e$. This means that the inverse of $a$ exists. A group is abelian if its binary operation is commutative.

Definition 1.2.2. [3, p. 167] The most general algebraic structure, a ring $\langle R, +, \cdot \rangle$, is a set $R$ together with two binary operations $+$ and $\cdot$, namely addition and multiplication, defined on $R$ such that the following axioms are satisfied:

$\mathcal{R}_1$: $\langle R, + \rangle$ is an abelian group.

$\mathcal{R}_2$: $\langle R, \cdot \rangle$ is associative, that is, a monoid.

$\mathcal{R}_3$: For all $a, b, c \in R$, the left distributive law $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ and the right distributive law $(a + b) \cdot c = (a \cdot c) + (b \cdot c)$ hold.

Definition 1.2.3. [3, pp. 172-174] By extension, a field $\langle F, +, \cdot \rangle$ is a set $F$ with two binary operations, namely addition and multiplication, defined on $F$, satisfying the following axioms:

$\mathcal{F}_1$: $\langle F, + \rangle$ is an abelian group.

$\mathcal{F}_2$: $\langle F^*, \cdot \rangle$ is an abelian group.

$\mathcal{F}_3$: For all $a, b, c \in F$, the distributive law $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$ holds.

Definition 1.2.4. [3, p. 300] A finite field is thus a field with a finite number of elements. It is known, and easy to show, that for every prime $p$ and positive integer $n$ there is exactly one finite field (up to isomorphism) of order $p^n$. [Usually], this field [denoted] $GF(p^n)$ is referred to as the Galois field of order $p^n$.

In general, since the identity element is required to be different for addition and multiplication, there must be at least two elements in every field. Some common examples include $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$, that is, the rational numbers, the real numbers, and the complex numbers, respectively. It must be noted that $\mathbb{Z}$, the integers, form only a ring. Thus, in this thesis, both the integer ring $\mathbb{Z}$ and the prime field $\mathbb{Z}_p$, where $p$ is a prime number, are often referenced; the latter is mainly due to the unique properties of prime numbers.

1.3 Research Objective

The purpose of this thesis is to analyse Shamir's Secret Sharing Scheme, to identify weaknesses and potential improvements, and to build upon them to discuss the side-channel effects on the Advanced Encryption Standard (AES).

The following questions are asked:

• Can pre-existing conjectures and theorems be used to improve and/or weaken the security and simplify the computational complexity of the present secret sharing scheme?

• Can the improvements to the current secret sharing scheme prove to be beneficial in strengthening/weakening AES encryption, such as side-channel analysis?
CHAPTER 2:

Analysis of Shamir's Secret Sharing Scheme


2.1 The Importance of the Dealer

For a $\{k, n\}$ threshold scheme, the dealer computes the degree $(k - 1)$ polynomial and embeds the secret within the polynomial. The dealer also has to provide the public values by computing the required outputs using certain inputs. The generated polynomial is of the form

$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}, \qquad (2.1)$$

where $a_0$ is the secret and $a_i$, $1 \le i \le k - 1$, are chosen randomly.

2.2 Order of Difficulty in Reconstructing the Secret

In this thesis, it is assumed that the Lagrange interpolation to reconstruct the secret is done over an integer ring. Performing arithmetic over the prime field $\mathbb{Z}_p$ will, however, improve on the computational efficiency, as is discussed later. For example, if the Lagrange interpolation is done over the residue field $\mathbb{Z}_p$ (that is, modulo $p$), then the order of computational complexity is $O(p^k)$.

2.3 Simplifying Secret Sharing Polynomials — Potential Weakness?

The initial degree $(k - 1)$ polynomial $f(x)$ is created by the dealer. There is no way to retrieve the secret unless at least $k$ participants come together to reconstruct the secret using Lagrange interpolation. A viable idea to improve the simplicity of the polynomial is to introduce a composition with another function that may be easier to dissect with existing mathematical tools.

Consider the following manipulation of the polynomial functions:

Let $f(x) = h(x) \circ g(x)$, where

$f(x)$ is the degree $(k - 1)$ polynomial generated by the dealer;
$h(x)$ is the desired final simplified polynomial of the form $(x - \alpha)^k - b_0$; and
$g(x)$ is a linear function to be applied to $h(x)$ to form the original polynomial.

Consider first the composite function $g(x) = x + \alpha$, from which the following is obtained. First, it is desired to simplify $f(x)$ to be in the form $f(x) = x^k - b_0$, for some coefficients in the dealer-generated polynomial. Hence, $f(x) = h(g(x)) = h(x + \alpha) = x^k - b_0$. Therefore, $h(x) = f(x - \alpha)$, and so

$$h(x) = f(x - \alpha) = (x - \alpha)^k - b_0$$

$$= x^k + \binom{k}{1} x^{k-1}(-\alpha) + \binom{k}{2} x^{k-2}(-\alpha)^2 + \cdots + (-\alpha)^k - b_0 \qquad (2.2)$$

$$= x^k + \sum_{i=1}^{k-1} c_i\, x^{k-i} + (-\alpha)^k - b_0,$$

where $c_i = \binom{k}{i}(-\alpha)^i$.

It is clear that the values of $c_i$ correspond to the coefficients of the original dealer-generated polynomial.


If the value $x = 0$ is substituted into the final form of Eqn. (2.2), the output corresponds to the hidden secret, since it is known that the secret is the value of $a_0$ in the original polynomial generated by the dealer in Eqn. (2.1).


Therefore, from Eqns. (2.1) and (2.2), the secret can be derived as the coefficient without any $x$ terms:

$$\text{Secret} = a_0 = (-\alpha)^k - b_0. \qquad (2.3)$$


If the values of $\alpha$ and $b_0$ are known, then the secret is unravelled. The challenge, then, is to find the values of $\alpha$ and $b_0$, if they are unknown, in order to reconstruct the secret.


2.4 Finding the Values of $\alpha$ and $b_0$

If the Lagrange interpolation is performed modulo $p$, then finding the value of $\alpha$ is of order $O(p^k)$, and likewise for finding $b_0$. Therefore, if both $\alpha$ and $b_0$ are unknown, the whole problem of finding both values escalates to order $O(p^k \times p^k) = O(p^{2k})$.

The famous Pillai's conjecture, and various other conditions related to the conjecture, are used to simplify the range of values of both $\alpha$ and $b_0$.




CHAPTER 3:

Applying Pillai's Conjecture to Secret Sharing Schemes


3.1 Pillai's Conjecture (General)

Herschfeld (1936) [4] showed that the equation $3^x - 2^y = c$, for $|c|$ sufficiently large, has at most one solution in positive integers $x, y$. In the same year, Pillai extended this result by considering the exponential Diophantine equation

$$a^x - b^y = c,$$

and proved that there exists a finite number of positive integer solutions ($a, b, x, y \in \mathbb{Z}$), with $x \ge 2$ and $y \ge 2$, to this Diophantine equation [5], provided $|c| > c_0(a, b)$ for some constant $c_0(a, b)$, which unfortunately is not effectively computable. Pillai conjectured that $c_0(3, 2) = 13$, this being proved in 1982 by Stroeker and Tijdeman [6], using methods based on Baker's linear forms in logarithms. The general Pillai's conjecture (see Conjecture 3.1.1, following), which gives an estimate for $c_0$, will be mostly used to find a weakness in Shamir's Secret Sharing Scheme. The quantitative refinement of the already mentioned (general) Pillai's conjecture is also discussed by Waldschmidt [5].

Conjecture 3.1.1. For any $\varepsilon > 0$, there exists a constant $\kappa(\varepsilon) > 0$ such that, for any positive integers $a, b, x \ge 2, y \ge 2$ with $a^x \ne b^y$,

$$|a^x - b^y| > \kappa(\varepsilon) \times \max(a^x, b^y)^{\,1 - \frac{1}{x} - \frac{1}{y} - \varepsilon}. \qquad (3.1)$$


3.2 Fermat-Catalan Conjecture

This conjecture was proposed based upon both Fermat's Last Theorem and Catalan's conjecture. In 1995, Richard Taylor and Andrew Wiles [7] co-published an article proving Fermat's Last Theorem.

Theorem 3.2.1. Fermat's Last Theorem states that for any integer $n$ greater than two, there do not exist any three (strictly) positive integers $a$, $b$, and $c$ that satisfy the equation $a^n + b^n = c^n$.

Referencing Conjecture 3.1.1, in 2002, Mihailescu [8] proved Catalan's conjecture.

Conjecture 3.2.1 (Mihailescu Theorem). The only solutions to the equation $a^x - b^y = 1$ are $3^2$ and $2^3$.

The Fermat-Catalan conjecture combines the ideas of Fermat's Last Theorem and Catalan's conjecture. In 1995, Darmon and Granville [9] proved the conjecture.

Conjecture 3.2.2. The equation $a^m + b^n = c^k$ has a finite number of solutions that satisfy the inequality $\frac{1}{m} + \frac{1}{n} + \frac{1}{k} < 1$.

Definition 3.2.1. Two integers $a$ and $b$ are coprime if the only positive integer that evenly divides both $a$ and $b$ is 1, that is, if their greatest common divisor $\gcd(a, b) = 1$.

3.3 Motivation

By Theorem 3.2.1 and Conjecture 3.2.2, it is inferred by Waldschmidt [5] that, $\forall \varepsilon > 0$, $\exists \kappa(\varepsilon) > 0$ such that

$$a^x - b^y = c \implies |a^x - b^y| > \kappa(\varepsilon) \times \max(a^x, b^y)^{\,1 - \frac{1}{x} - \frac{1}{y} - \varepsilon}. \qquad (3.2)$$

From Catalan's conjecture, the equation $a^x - b^y$ yields a constant $c$. This relationship is used in conjunction with the Fermat-Catalan conjecture in Conjecture 3.2.2 to improve the efficiency in recovering the secret in secret sharing schemes. The motivation is thus to streamline the ranges between $a^x$ and $b^y$ such that the maximum value between these two components can be easily found. Coupled with the fact that the exponent $(1 - \frac{1}{x} - \frac{1}{y} - \varepsilon)$ is always $< 1$, the final value of $|a^x - b^y|$ will be even smaller. This will greatly reduce the computational complexity involved.

Applications of this relationship are further discussed in the next chapter.
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CHAPTER  4: 
Exploring  Secret  Sharing 


4.1  Applying  Fermat- Catalan  Conjecture  to  Secret  Shar¬ 
ing  Scheme 

Consider  the  following  analysis  for  the  {k+l,n}  threshold  scheme. 

Let  f(x)  be  defined  as  the  degree  k  polynomial  generated  by  the  dealer: 

f(x)—ao-\-aix  +  a2X2-\ - fapr,  (4.1) 

where  ciq  is  the  secret  to  be  shared. 

Assume that there exists $\alpha \in \mathbb{Z}_p$ such that $h(x) = f(x - \alpha) = x^k - b_0$ (consider that the
dealer-generated polynomial is monic; the case of non-monic polynomials can still be
dealt with, but one needs at least three shares to be known). In this case, the leading
coefficient of the highest degree term $x^k$ is 1, and substituting $x + \alpha$ for $x$ shows that the
dealer's polynomial itself has the form $f(x) = (x + \alpha)^k - b_0$.

Let $f(x_1), f(x_2), \ldots, f(x_n)$ be defined as the shares to be handed out, where $f(x_i) = y_i$. If
$f(x_1), f(x_2), \ldots, f(x_n)$ are known, then the following can be inferred:

\[
(x_1 + \alpha)^k - b_0 = y_1,
\]
\[
(x_2 + \alpha)^k - b_0 = y_2,
\]
\[
\vdots
\]
\[
(x_n + \alpha)^k - b_0 = y_n.
\]

It must be noted that any set of $k + 1$ shares is sufficient to recover a polynomial of degree $k$, and hence the secret, even though a
total of $n$ shares are generated. This is the core essence of Shamir's Secret Sharing Scheme.
However, under the assumption above, it is possible to recover the secret with significantly fewer
shares, in this case, two.

Taking the difference of any two equations leads to the generalized equation in which $b_0$
is eliminated:

\[
(x_i + \alpha)^k - (x_j + \alpha)^k = y_i - y_j, \qquad (4.2)
\]

where $1 \le i < j \le n$.

Note that the right-hand side is known, since those are the outputs generated and distributed
by the dealer to the various participants.

Referencing the extension of Pillai's Diophantine equation in Eqn. (3.1) leads to

\[
|a^x - b^y| > k(\varepsilon) \times \max(a^x, b^y)^{\,1 - \frac{1}{x} - \frac{1}{y} - \varepsilon}.
\]

Replacing $a^x$ with $(x_i + \alpha)^x$, and $b^y$ with $(x_j + \alpha)^y$, leads to

\[
\left|(x_i + \alpha)^x - (x_j + \alpha)^y\right| > k(\varepsilon) \times \max\left(|x_i + \alpha|^x, |x_j + \alpha|^y\right)^{\,1 - \frac{1}{x} - \frac{1}{y} - \varepsilon}.
\]

For the purpose of secret sharing, let $x = y = k$, which results in

\[
\left|(x_i + \alpha)^k - (x_j + \alpha)^k\right| > k(\varepsilon) \times \max\left(|x_i + \alpha|^k, |x_j + \alpha|^k\right)^{\,1 - \frac{2}{k} - \varepsilon}.
\]

Using Eqn. (4.2) in the left-hand side of the above inequality, it is finally deduced that
$\forall \varepsilon > 0$, $\exists\, k(\varepsilon) > 0$, such that

\[
|y_i - y_j| > k(\varepsilon) \times \max\left(|x_i + \alpha|^k, |x_j + \alpha|^k\right)^{\,1 - \frac{2}{k} - \varepsilon}. \qquad (4.3)
\]

Two caveats apply to this step: the Pillai-type inequality is stated for integers with $a^x \neq b^y$ and is conjectural, and it is applied here to shares over $\mathbb{Z}$. It therefore supplies a heuristic search range for $\alpha$ rather than a proof that $\alpha$ lies inside it.
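The threshold property recalled at the start of this section (any $k + 1$ shares determine a degree-$k$ polynomial, $k$ shares do not) is the baseline the rest of the chapter tries to undercut. The following Python is an added example, not code from the thesis: it implements the ordinary $\{k+1, n\}$ scheme over $\mathbb{Z}_p$ with Lagrange interpolation at $x = 0$, so that the baseline can be run next to the later two-share recovery. The modulus $p = 257$, the function names and the rng hook are this example's own assumptions; the sample shares are the thesis's Section 4.7.2 values.

```python
"""Added example (not code from the thesis): Shamir's {k+1, n} scheme over the
prime field Z_p.  The dealer picks k random coefficients above the secret a_0;
any k+1 shares reconstruct a_0 by Lagrange interpolation at x = 0, while k
shares interpolate a different polynomial and give an unrelated value.
The names and the rng hook are this example's own assumptions."""
import secrets
from typing import Callable, List, Tuple

Share = Tuple[int, int]


def eval_poly(coeffs: List[int], x: int, p: int) -> int:
    """Horner evaluation modulo p; coeffs[i] multiplies x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret: int, k: int, n: int, p: int,
                rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Shares (i, f(i)) for i = 1..n of a degree-k polynomial with f(0) = secret."""
    if not 0 <= secret < p or n >= p or k >= n:
        raise ValueError("need 0 <= secret < p and k < n < p")
    coeffs = [secret] + [rng(p) for _ in range(k)]
    while coeffs[-1] == 0:            # keep the degree exactly k
        coeffs[-1] = rng(p)
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def lagrange_at_zero(shares: List[Share], p: int) -> int:
    """Value at 0 of the unique polynomial of degree < len(shares) through the
    shares.  The basis weights l_i(0) depend only on the public x-coordinates."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p          # factor (0 - x_j)
                den = (den * (xi - xj)) % p      # factor (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    P = 257  # modulus chosen for this example; the thesis's shares stay unchanged below it
    thesis_shares = [(1, 24), (2, 61), (3, 122), (4, 213)]   # f(x) = x^3 + 6x^2 + 12x + 5
    print(lagrange_at_zero(thesis_shares, P))       # 5  (k + 1 = 4 shares)
    print(lagrange_at_zero(thesis_shares[:3], P))   # 11 (only k = 3 shares: wrong value)
    fresh = make_shares(5, 3, 6, P)
    print(lagrange_at_zero(fresh[1:5], P))          # 5 again, from any four shares
```

Reconstruction from three of the four shares returns 11 rather than 5: with one share short of the threshold the interpolated polynomial is simply a different one, and over a random dealer polynomial every candidate secret is equally consistent with $k$ shares.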


4.2  Significance of $k(\varepsilon)$

In 1970, Marshall Hall, Jr. [10], proposed to remove the value of $k(\varepsilon)$ for the quantitative
case when $x = 3$ and $y = 2$.

Conjecture 4.2.1. There exists an absolute constant $C > 0$ such that, for any pair $(x, y)$
of positive integers satisfying $x^3 \neq y^2$,

\[
|x^3 - y^2| > C \times \max(x^3, y^2)^{1/6}.
\]

This is also known as Hall's conjecture, which will be drawn upon to further simplify the
problem (for example, it is further believed that $C < 0.96598\ldots$).

Presumably, $k(\varepsilon)$ is computable and quite small (e.g., see Bennett's work on Pillai's conjecture
[11], in particular when $|a - b| = 1$), so for this purpose it is possible, for example, to
assume $\varepsilon$ to be strictly less than $1 - \frac{2}{k}$, so that the exponent in Eqn. (4.3) stays positive and
finite bounds for $|x_i + \alpha|$ and $|x_j + \alpha|$ can be found
(see the analysis in the following sections).

4.3  Forming the Inequalities to Find the Bounds for Computing the Value of $\alpha$

Focusing on the right-hand side of Eqn. (4.3), and assuming $k(\varepsilon) = 1$, the following arithmetic
is performed on one of the terms:

\[
\left(|x_j + \alpha|^k\right)^{1 - \frac{2}{k} - \varepsilon} = \left(|x_j + \alpha|^k\right)^{\frac{k - 2 - k\varepsilon}{k}} = |x_j + \alpha|^{\,k - 2 - k\varepsilon}. \qquad (4.4)
\]

From Inequality (4.3), and since the maximum is at least either of its arguments, it is inferred that

\[
|x_j + \alpha|^{\,k - 2 - k\varepsilon} < |y_i - y_j|,
\]
\[
|x_j + \alpha| < |y_i - y_j|^{\frac{1}{k - 2 - k\varepsilon}}. \qquad (4.5)
\]

With this inequality, the complexity of the problem is significantly reduced. It is now
reduced to simply finding the values of $\alpha$ from Eqn. (4.5), whereby the values of $x_j, y_i, y_j, k$
and $\varepsilon$ are known, and are small enough to compute.

The order of computational difficulty is thus reduced significantly from the initial order of
$O(p^k)$, or $O(p^{2k})$ if there are two unknowns.

Applying (an extension of) Hall's conjecture, whereby the value of $\varepsilon$ is assumed to be 0,
Eqn. (4.5) reduces further (for $k > 2$) to

\[
|x_j + \alpha| < |y_i - y_j|^{\frac{1}{k - 2}}. \qquad (4.6)
\]

4.4  Dissecting the Inequalities

It was assumed that $\exists\alpha$ such that $h(x) = f(x - \alpha) = x^k - b_0$, for certain cases of the polynomial
form that was generated by the dealer.

Since $f(x - \alpha) = x^k - b_0$, this can be rewritten as $f(x) = (x + \alpha)^k - b_0$.

In a $\{k+1, n\}$ threshold scheme, $n$ shares are generated, namely $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$,
where $y_i = f(x_i)$, for $1 \le i \le n$.

Consider the case where it is sufficient to pool together two known pairs (shares). Therefore,
the following is derived:

\[
y_1 = (x_1 + \alpha)^k - b_0,
\]
\[
y_2 = (x_2 + \alpha)^k - b_0,
\]
\[
y_1 - y_2 = (x_1 + \alpha)^k - (x_2 + \alpha)^k,
\]

or,

\[
y_2 - y_1 = (x_2 + \alpha)^k - (x_1 + \alpha)^k.
\]

Solving for the value of $\alpha$ is not trivial for large values of $k$, especially if $k$ is prime. A
prime $k$, however, will allow performing finite field arithmetic to reduce the bounds of $\alpha$,
which is discussed later in greater detail.

For simplicity's sake, the labels $A := x_1 + \alpha$ and $B := x_2 + \alpha$ are applied, hence $A^k = (x_1 + \alpha)^k$
and $B^k = (x_2 + \alpha)^k$. In addition, it is clear that $(A - B) = (x_1 - x_2)$.

The following identity is used,

\[
A^k - B^k = (A - B) \times \left(A^{k-1} + A^{k-2}B + \cdots + AB^{k-2} + B^{k-1}\right),
\]

to infer

\[
(y_1 - y_2) = (x_1 - x_2) \times \left(A^{k-1} + A^{k-2}B + \cdots + AB^{k-2} + B^{k-1}\right),
\]
\[
\frac{y_1 - y_2}{x_1 - x_2} = A^{k-1} + A^{k-2}B + \cdots + AB^{k-2} + B^{k-1}.
\]

It is obvious that the following inequality holds (and, when $A$ and $B$ have the same sign, its left-hand side coincides with the sum above):

\[
|A|^{k-1} + |A|^{k-2}|B| + \cdots + |A||B|^{k-2} + |B|^{k-1} \ge \max\left(|A|^{k-1}, |B|^{k-1}\right). \qquad (4.7)
\]

Eqn. (4.7) is now used to consider all possible cases of polarity for the values of $A$ and $B$,
and of parity for the value of $k$. Note that since $k$ is a known positive value with $k \ge 2$, it is
only necessary to consider the cases where $k$ is either even or odd. For the case where $k = 2$, it
is easy to find $\alpha$, since $y_1 - y_2$ is just a difference of squares.


4.4.1  Case 1 — $[A > 0, B > 0]$

Without loss of generality (WLOG), assume that $A > B$ (equality is impossible, since $x_1 \neq x_2$).
Therefore, the following is obtained:

\[
\frac{y_1 - y_2}{x_1 - x_2} = A^{k-1} + A^{k-2}B + \cdots + AB^{k-2} + B^{k-1},
\]
\[
\frac{y_1 - y_2}{x_1 - x_2} > \max\left(|A|^{k-1}, |B|^{k-1}\right) = |A|^{k-1},
\]
\[
\frac{y_1 - y_2}{x_1 - x_2} > |x_1 + \alpha|^{k-1},
\]
\[
-\left(\frac{y_1 - y_2}{x_1 - x_2}\right)^{\frac{1}{k-1}} - x_1 < \alpha < \left(\frac{y_1 - y_2}{x_1 - x_2}\right)^{\frac{1}{k-1}} - x_1.
\]

With the known values of $x_1, x_2, y_1, y_2$ and $k$, both the lower and upper bounds of $\alpha$ are found.

For the case where both $A$ and $B$ are positive, the parity of $k$ does not matter, since applying
the same exponent to both $A$ and $B$ does not change the comparison between
them. To be more encompassing, it is therefore necessary to consider the different parity cases
of $k$, along with the polarities of both $A$ and $B$. Instead of always assuming
that $A > B$ for all cases (since the value of $\alpha$ is unknown at this point), the polarity of the
denominator $(x_1 - x_2)$ is also included in each individual case analysis.

4.4.2  Case 2 — $[A < 0, B > 0]$ [$k$ odd]

With these constraints, and since $k$ is odd,

\[
y_2 - y_1 = B^k - A^k = B^k + |A|^k \ge \max\left(B^k, |A|^k\right).
\]

Again, WLOG, consider the case where $B^k > |A|^k$:

\[
y_2 - y_1 > \max\left(B^k, |A|^k\right) \ge B^k,
\]
\[
(y_2 - y_1)^{\frac{1}{k}} > B,
\]
\[
(y_2 - y_1)^{\frac{1}{k}} > |x_2 + \alpha|,
\]
\[
-(y_2 - y_1)^{\frac{1}{k}} - x_2 < \alpha < (y_2 - y_1)^{\frac{1}{k}} - x_2.
\]

With this, the lower and upper bounds of $\alpha$ can be found easily. It is impractical to factor
$B^k + |A|^k$ with the identity mentioned earlier: a sum of two odd powers factors as $(B + |A|)$
times a cofactor whose terms alternate in sign, so it cannot be determined whether that
cofactor is positive, and hence the maximum inequality (4.7) would not apply.

4.4.3  Case 3 — $[A > 0, B < 0]$ [$k$ odd]

In this case, since $k$ is odd, the following is obtained:

\[
y_2 - y_1 = B^k - A^k,
\]
\[
y_1 - y_2 = A^k - B^k = A^k + |B|^k > |A|^k,
\]
\[
(y_1 - y_2)^{\frac{1}{k}} > |A|,
\]
\[
(y_1 - y_2)^{\frac{1}{k}} > |x_1 + \alpha|,
\]
\[
-(y_1 - y_2)^{\frac{1}{k}} - x_1 < \alpha < (y_1 - y_2)^{\frac{1}{k}} - x_1.
\]

This essentially gives similar results to Case 2, except that the roles of $y_1$
and $y_2$ are interchanged, and $x_1$ is the share abscissa appearing in the bounds.


4.4.4  Case 4 — $[A, B < 0]$ [$k$ odd]

Consider the last case of odd $k$, with both parameters less than 0. The following is obtained:

\[
y_2 - y_1 = B^k - A^k = -|B|^k + |A|^k = |A|^k - |B|^k.
\]

WLOG, assume that $|A| > |B|$. Since both are negative this means $A < B$, i.e. $x_1 < x_2$, so
$|A| - |B| = x_2 - x_1 \ge 1$. Therefore,

\[
0 < y_2 - y_1 = |A|^k - |B|^k
\]
\[
= (|A| - |B|) \times \left(|A|^{k-1} + |A|^{k-2}|B| + \cdots + |B|^{k-1}\right)
\]
\[
= (x_2 - x_1) \times \left(|A|^{k-1} + |A|^{k-2}|B| + \cdots + |B|^{k-1}\right)
\]
\[
> |A|^{k-1}.
\]

Thus,

\[
y_2 - y_1 > |A|^{k-1},
\]
\[
(y_2 - y_1)^{\frac{1}{k-1}} > |A|,
\]
\[
(y_2 - y_1)^{\frac{1}{k-1}} > |x_1 + \alpha|,
\]
\[
-(y_2 - y_1)^{\frac{1}{k-1}} - x_1 < \alpha < (y_2 - y_1)^{\frac{1}{k-1}} - x_1.
\]

Case 4 now concludes the analysis for odd values of $k$. The analysis focus is now shifted
to even values of $k$.
4.4.5  Case 5 — $[A < 0, B > 0]$ [$k$ even]

Since $k$ is even, the following is obtained:

\[
y_2 - y_1 = B^k - A^k = B^k - |A|^k.
\]

WLOG, now assume that $B > |A|$. As $B$ and $|A|$ are integers, $B - |A| \ge 1$ (note that here
$B - |A| = B + A = x_1 + x_2 + 2\alpha$, not a difference of the $x_i$). The following is obtained:

\[
0 < y_2 - y_1 = B^k - |A|^k
\]
\[
= (B - |A|) \times \left(B^{k-1} + B^{k-2}|A| + \cdots + |A|^{k-1}\right)
\]
\[
\ge B^{k-1} + B^{k-2}|A| + \cdots + |A|^{k-1}
\]
\[
> |A|^{k-1}.
\]

Hence,

\[
y_2 - y_1 > |x_1 + \alpha|^{k-1},
\]
\[
(y_2 - y_1)^{\frac{1}{k-1}} > |x_1 + \alpha|,
\]
\[
-(y_2 - y_1)^{\frac{1}{k-1}} - x_1 < \alpha < (y_2 - y_1)^{\frac{1}{k-1}} - x_1.
\]

4.4.6  Case 6 — $[A > 0, B < 0]$ [$k$ even]

With these constraints, and $k$ even,

\[
y_2 - y_1 = B^k - A^k = |B|^k - A^k.
\]

Now, WLOG, assume that $|B| > A$, so that $|B| - A \ge 1$ (again $|B| - A = -(x_1 + x_2 + 2\alpha)$,
not a difference of the $x_i$). Therefore,

\[
0 < y_2 - y_1 = |B|^k - A^k
\]
\[
= (|B| - A) \times \left(|B|^{k-1} + |B|^{k-2}A + \cdots + A^{k-1}\right)
\]
\[
\ge |B|^{k-1} + |B|^{k-2}A + \cdots + A^{k-1}
\]
\[
> |B|^{k-1}.
\]

Hence,

\[
y_2 - y_1 > |B|^{k-1},
\]
\[
y_2 - y_1 > |x_2 + \alpha|^{k-1},
\]
\[
(y_2 - y_1)^{\frac{1}{k-1}} > |x_2 + \alpha|,
\]
\[
-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 < \alpha < (y_2 - y_1)^{\frac{1}{k-1}} - x_2.
\]

4.4.7  Case 7 — $[A, B < 0]$ [$k$ even]

The last case for even $k$, with these constraints, is as follows:

\[
y_2 - y_1 = B^k - A^k = |B|^k - |A|^k.
\]

At this point, WLOG, assume that $|B| > |A|$. Since both are negative, $B < A$, i.e. $x_2 < x_1$, so
$|B| - |A| = x_1 - x_2 \ge 1$. Therefore,

\[
0 < y_2 - y_1 = |B|^k - |A|^k
\]
\[
= (|B| - |A|) \times \left(|B|^{k-1} + |B|^{k-2}|A| + \cdots + |A|^{k-1}\right)
\]
\[
= (x_1 - x_2) \times \left(|B|^{k-1} + |B|^{k-2}|A| + \cdots + |A|^{k-1}\right)
\]
\[
> |B|^{k-1}.
\]

This produces the same result as Case 6, where the lower and upper bounds are constrained by

\[
y_2 - y_1 > |B|^{k-1},
\]
\[
y_2 - y_1 > |x_2 + \alpha|^{k-1},
\]
\[
(y_2 - y_1)^{\frac{1}{k-1}} > |x_2 + \alpha|,
\]
\[
-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 < \alpha < (y_2 - y_1)^{\frac{1}{k-1}} - x_2.
\]
4.4.8  Summary of Inequality Analysis

The results obtained from the seven cases are summarized in Table 4.1. Because $\alpha$, and hence the
signs of $A$ and $B$, is unknown to the eavesdropper, the cases cannot be told apart in advance;
the search range actually used is the union of the intervals below, rounded outward to integers.

Table 4.1: Summary of α Boundaries

Case  Polarity of A, B              Parity of k   Boundaries of α
1     A > B > 0                     N.A.          -((y_1 - y_2)/(x_1 - x_2))^(1/(k-1)) - x_1 < α < ((y_1 - y_2)/(x_1 - x_2))^(1/(k-1)) - x_1
2     A < 0, B > 0, B^k > |A|^k     Odd           -(y_2 - y_1)^(1/k) - x_2 < α < (y_2 - y_1)^(1/k) - x_2
3     A > 0, B < 0, A^k > |B|^k     Odd           -(y_1 - y_2)^(1/k) - x_1 < α < (y_1 - y_2)^(1/k) - x_1
4     A, B < 0, |A| > |B|           Odd           -(y_2 - y_1)^(1/(k-1)) - x_1 < α < (y_2 - y_1)^(1/(k-1)) - x_1
5     A < 0, B > 0, B > |A|         Even          -(y_2 - y_1)^(1/(k-1)) - x_1 < α < (y_2 - y_1)^(1/(k-1)) - x_1
6     A > 0, B < 0, |B| > A         Even          -(y_2 - y_1)^(1/(k-1)) - x_2 < α < (y_2 - y_1)^(1/(k-1)) - x_2
7     A, B < 0, |B| > |A|           Even          -(y_2 - y_1)^(1/(k-1)) - x_2 < α < (y_2 - y_1)^(1/(k-1)) - x_2

4.5  Analysis of Bounds

The starting point for forming the lower and upper bounds is to take the difference between the
two $y$-values that were obtained publicly. For simpler calculations, a positive difference
can be obtained by identifying the bigger component and then subtracting the smaller
component from it.

It was found that both the lower and upper bounds of $\alpha$ are constrained by the $k$th or $(k-1)$th
root of the $y$-value difference, shifted by the corresponding $x$-value, depending on the
assumption of whether $A^k$ or $B^k$ is larger.

The initial assumption was that computation may be easier with even values of $k$, since
even powers of positive or negative quantities still produce positive results. However, it
was found that the factor that limits computational efficiency is the presence of the absolute
values of $A$ or $B$. For absolute values, there is no easy way to determine whether the
underlying quantity is positive or negative, and hence the inequality identity (4.7) needed to be
applied in order to find the bounds of $\alpha$.

The crux is that as long as two shares are gathered together, the value of $\alpha$ can be derived
through exhaustive search over the bounded range. The computation is simplified even further if the
differences between the $y_i$ values are small.

Once the value of $\alpha$ is found, it then remains to substitute back into the general equation
$y_i = (x_i + \alpha)^k - b_0$ to determine $b_0$. When $b_0$ is found, it is trivial to find

\[
f(x) = (x + \alpha)^k - b_0,
\]
\[
f(0) = \alpha^k - b_0 = \text{secret}.
\]


4.6  Cases over the Finite Field $\mathbb{Z}_p$

Computing the above arithmetic over the infinite integer ring $\mathbb{Z}$ results in large ranges
of $\alpha$ for which the initial polynomial can be expressed in the form $f(x) = (x + \alpha)^k - b_0$.
If the arithmetic is computed over the prime field $\mathbb{Z}_p$ instead, then the polynomial
form $f(x) = (x + \alpha)^k - b_0$ could be achieved more easily, as many of the coefficients would
be reduced to 0 after performing modular arithmetic over the prime field (in particular when
$p = k$, as shown below). Thus, there is justifiable motivation behind the modular prime
arithmetic to reduce the ranges of $\alpha$ to be finite and more manageable.

It was discussed earlier that the general equation $f(x) = a_0 + a_1 x + \cdots + a_k x^k$ can be
expressed, by the binomial theorem, as

\[
f(x) = (x + \alpha)^k - b_0
\]
\[
= x^k + \binom{k}{1}\alpha x^{k-1} + \binom{k}{2}\alpha^2 x^{k-2} + \cdots + \binom{k}{k-1}\alpha^{k-1} x + \alpha^k - b_0
\]
\[
= x^k + \sum_{i=1}^{k-1} \binom{k}{i}\alpha^i x^{k-i} + \alpha^k - b_0.
\]

Recomputing the arithmetic over $\mathbb{Z}_k$, where $k$ is prime, every binomial coefficient
$\binom{k}{i}$ with $0 < i < k$ is divisible by $k$, which gives the following result:

\[
f(x) = x^k + \alpha^k - b_0.
\]

And the secret is recovered as $f(0) = \alpha^k - b_0$ (which, by Fermat's little theorem,
equals $\alpha - b_0$ in $\mathbb{Z}_k$).
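The expansion above, and its inverse, are easy to mechanise. The following Python is an added example (not code from the thesis): it expands $(x + \alpha)^k - b_0$ into coefficient form, reduces the coefficients modulo a prime to show the collapse to $x^k + \alpha^k - b_0$ when $p = k$, and runs the check a dealer would want before issuing shares, namely whether a monic integer polynomial is of the binomial form at all. The function names are this example's own; the sample polynomials are those of Section 4.7.

```python
"""Added example (not from the thesis): expand (x + alpha)^k - b0, reduce it
mod p, and run the inverse check a dealer would want, i.e. decide whether a
monic integer polynomial is of the binomial form (x + alpha)^k - b0 at all.
Coefficients are stored lowest degree first: [a0, a1, ..., ak]."""
from math import comb
from typing import List, Optional, Tuple


def binomial_form(alpha: int, b0: int, k: int) -> List[int]:
    """Coefficients of f(x) = (x + alpha)^k - b0 over the integers."""
    coeffs = [comb(k, i) * alpha ** (k - i) for i in range(k + 1)]  # a_i = C(k,i) alpha^(k-i)
    coeffs[0] -= b0
    return coeffs


def reduce_mod(coeffs: List[int], p: int) -> List[int]:
    """Reduce every coefficient into Z_p (p assumed prime)."""
    return [c % p for c in coeffs]


def evaluate(coeffs: List[int], x: int, p: Optional[int] = None) -> int:
    """Horner evaluation of f(x), over Z or (if p is given) over Z_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
        if p is not None:
            acc %= p
    return acc


def detect_shift(coeffs: List[int]) -> Optional[Tuple[int, int]]:
    """Return (alpha, b0) if f(x) == (x + alpha)^k - b0 over Z, else None.

    The polynomial must be monic of degree k >= 2 and a_{k-1} must equal
    k*alpha; the remaining coefficients are then verified against C(k,i) alpha^(k-i).
    """
    k = len(coeffs) - 1
    if k < 2 or coeffs[k] != 1 or coeffs[k - 1] % k != 0:
        return None
    alpha = coeffs[k - 1] // k
    for i in range(1, k):  # a_1 .. a_{k-1}
        if coeffs[i] != comb(k, i) * alpha ** (k - i):
            return None
    b0 = alpha ** k - coeffs[0]
    return alpha, b0


if __name__ == "__main__":
    f = binomial_form(2, 3, 3)           # x^3 + 6x^2 + 12x + 5 (Section 4.7.2)
    print(f)                             # [5, 12, 6, 1]
    print(reduce_mod(f, 3))              # [2, 0, 0, 1]  i.e. x^3 + 2 over Z_3
    print(detect_shift(f))               # (2, 3)
    print(detect_shift([7, 4, 1]))       # (2, -3)  (Section 4.7.1)
    print(detect_shift([1, 1, 1, 1]))    # None: not of binomial form
```

A dealer generating coefficients at random can simply reject any candidate for which `detect_shift` returns a value; the reduction to $\mathbb{Z}_3$ also shows why working modulo the degree is convenient for the attacker, since only the constant term $\alpha^k - b_0$ survives.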
4.7  Computational Example

A computational example is used to illustrate the effectiveness of the analysis.

4.7.1  Trivial Case

The following $\{3, n\}$ example has $n$ shares and a threshold of 3, with $n$ participants and 1
dealer. Consider the quadratic (degree $3 - 1 = 2$) polynomial generated by the dealer to be

\[
f(x) = 7 + 4x + x^2.
\]

The dealer then generates the following $n$ shares to be released to the public, namely
$(1, 12), (2, 19), (3, 28), (4, 39), (5, 52), (6, 67), \ldots, (x_n, y_n)$. It is only necessary to find any
combination of two shares to determine the value of $\alpha$.

For example, if two shares, Share #1 $(2, 19)$ and Share #2 $(4, 39)$, are found by any individual,
the general equation $f(x) = (x + \alpha)^k - b_0$ can be used as a base, and the public share
values that were obtained can be substituted into the general equation:

\[
\text{General Eqn}: \quad f(x) = (x + \alpha)^k - b_0,
\]
\[
\text{Share \#1}: \quad 19 = (2 + \alpha)^k - b_0,
\]
\[
\text{Share \#2}: \quad 39 = (4 + \alpha)^k - b_0,
\]
\[
\text{Share \#2} - \text{Share \#1}: \quad 20 = (4 + \alpha)^k - (2 + \alpha)^k.
\]

In this trivial example the dealer dictated that any three shares are enough to recover the
secret ($k + 1 = 3$), yet finding the value of $\alpha$ from two shares is trivial, as one can use
difference-of-squares factoring. In the case of $k = 2$,

\[
20 = (4 + \alpha)^2 - (2 + \alpha)^2
\]
\[
= (4 + \alpha + 2 + \alpha) \times (4 + \alpha - 2 - \alpha)
\]
\[
= (6 + 2\alpha) \times 2,
\]
\[
\therefore \alpha = 2.
\]

Computing $b_0$:

\[
b_0 = (2 + \alpha)^2 - 19 = (2 + 2)^2 - 19 = -3,
\]

which gives the secret as

\[
f(0) = (0 + 2)^2 - (-3) = 7.
\]

4.7.2  General Cases of $k$

Consider another numerical example, a $\{4, n\}$ threshold scheme, where the dealer-generated
polynomial is

\[
f(x) = x^3 + 6x^2 + 12x + 5.
\]

The secret is, of course, $S = a_0 = 5$. The public shares generated, of the form $(x_i, y_i)$, are
$(1, 24), (2, 61), (3, 122), (4, 213), (5, 340), \ldots, (x_n, y_n)$. Assuming that two random shares,
$(1, 24)$ and $(3, 122)$, are obtained by an eavesdropper, and the eavesdropper decomposes
the public shares into the generalized formula $y_i = (x_i + \alpha)^k - b_0$ for secret recovery, where
$k = 3$,

\[
24 = (1 + \alpha)^3 - b_0,
\]
\[
122 = (3 + \alpha)^3 - b_0,
\]
\[
(122 - 24) = (3 + \alpha)^3 - (1 + \alpha)^3. \qquad (4.8)
\]

This essentially gives a polynomial equation in $\alpha$ (of degree $k - 1 = 2$, since the cubic terms
cancel) to solve for the value of $\alpha$.

Next, consider the general case for $k$ values. For a $\{k + 1, n\}$ threshold scheme, the generalized
form is

\[
y_i - y_j = (x_i + \alpha)^k - (x_j + \alpha)^k. \qquad (4.9)
\]

The problem now reduces to finding the value of $\alpha$, and it can be challenging depending
on how large $k$ is.

The analysis provided a convenient reference table in Table 4.1. In the numerical example
in this section $k$ is odd, so the boundaries of $\alpha$ are given by Case 1 or by one of Cases 2, 3 and 4.
Taking the Case 2 form (Case 4 differs only in the root taken and the $x$-value), $\alpha$ satisfies

\[
-(y_2 - y_1)^{\frac{1}{k}} - x_2 < \alpha < (y_2 - y_1)^{\frac{1}{k}} - x_2,
\]

or, in the Case 3 form,

\[
-(y_1 - y_2)^{\frac{1}{k}} - x_1 < \alpha < (y_1 - y_2)^{\frac{1}{k}} - x_1.
\]

Substituting all the known values from the public shares, and combining all the known
information, the following is obtained:

\[
-\sqrt[3]{98} - 3 < \alpha < \sqrt[3]{98} - 3.
\]

Since $\alpha$ is an integer, the bounds are rounded outward and the following is obtained:

\[
-8 \le \alpha \le 2.
\]

The outward rounding matters here. For the true value $\alpha = 2$ one has $A = 3$ and $B = 5$, both
positive, so Case 1 is the case that actually applies, with the wider bound
$-8 < \alpha < 6$ (from $\sqrt{98/2} = 7$); the Case 2 interval $-7.6 < \alpha < 1.6$ contains $\alpha = 2$ only
after rounding, which is why the union of the case intervals, not a single case, should be searched.

With these values of $\alpha$, the value of $b_0$ can be found easily from the first share. Table 4.2
shows the values found from the iteration.
Table 4.2: Possible Secret Values

α     b_0     Secret = f(0) = α^k - b_0
-8    -367    -145
-7    -240    -103
-6    -149    -67
-5    -88     -37
-4    -51     -13
-3    -32     5
-2    -25     17
-1    -24     23
0     -23     23
1     -16     17
2     3       5

Each row takes $b_0 = (1 + \alpha)^3 - 24$ from the first share only. It is easy to compute from
Eqn. (4.8) that $\alpha = 2$, and therein lies the secret value $S = a_0 = 5$. From Table 4.2, the
eavesdropper knows that the secret is one of the 11 values of $f(0)$; checking each row against the
second share, $122 = (3 + \alpha)^3 - b_0$, leaves only $\alpha = 2$ and $\alpha = -6$ (the latter giving
$f(x) = (x - 6)^3 + 149$ and secret $-67$), and a third share or any prior knowledge about the
secret decides between them. Hence, from an infinite number of choices (or a large finite number
of choices), with just two known shares, the eavesdropper has reduced the number of secret
possibilities drastically.
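The bounded exhaustive search described in Sections 4.5 and 4.7 is short enough to write out in full. The following Python is an added example, not code from the thesis: given two integer shares and the degree $k$, it builds the outward-rounded union of the Table 4.1 intervals, enumerates every integer $\alpha$ inside it, and keeps only the $(\alpha, b_0)$ pairs consistent with both shares. The function names are this example's own; the shares are the thesis's. Run on the Section 4.7.2 shares it returns both solutions of Eqn. (4.8), $\alpha = 2$ and $\alpha = -6$, and the Section 4.7.1 shares give the single solution $\alpha = 2$.

```python
"""Added example (not part of the thesis): the two-share recovery of
Section 4.7 carried out mechanically for a polynomial assumed to have the
binomial form f(x) = (x + alpha)^k - b0.  The search range comes from the
thesis's (heuristic) Table 4.1 bounds; the consistency check against both
shares is exact.  Helper names are this example's; share values are the
thesis's own."""
from math import ceil
from typing import List, Tuple

Candidate = Tuple[int, int, int]   # (alpha, b0, secret = alpha^k - b0)


def search_radius(x1: int, y1: int, x2: int, y2: int, k: int) -> int:
    """Largest root radius occurring in Table 4.1: the k-th and (k-1)-th roots of
    |y2 - y1| and the (k-1)-th root of the Case 1 quotient, rounded up."""
    if k < 2:
        raise ValueError("degree k must be at least 2")
    dy, dx = abs(y2 - y1), abs(x2 - x1)
    if dx == 0:
        raise ValueError("shares must have distinct x-coordinates")
    radii = [dy ** (1.0 / k), dy ** (1.0 / (k - 1)), (dy / dx) ** (1.0 / (k - 1))]
    return ceil(max(radii))


def recover_candidates(x1: int, y1: int, x2: int, y2: int, k: int) -> List[Candidate]:
    """Every (alpha, b0, secret) with y_i == (x_i + alpha)^k - b0 for both shares.

    The bounds say |x_i + alpha| < radius for one of the x_i, so the interval
    [-radius - max(x), radius - min(x)] covers every case; it is widened by one
    on each side to absorb the outward rounding used in the thesis."""
    r = search_radius(x1, y1, x2, y2, k)
    lo, hi = -r - max(x1, x2) - 1, r - min(x1, x2) + 1
    found: List[Candidate] = []
    for alpha in range(lo, hi + 1):
        b0 = (x1 + alpha) ** k - y1            # forced by the first share
        if (x2 + alpha) ** k - b0 == y2:       # must also reproduce the second
            found.append((alpha, b0, alpha ** k - b0))
    return found


def filter_with_share(cands: List[Candidate], x: int, y: int, k: int) -> List[Candidate]:
    """Discard candidates that disagree with an additional share (x, y)."""
    return [(a, b0, s) for a, b0, s in cands if (x + a) ** k - b0 == y]


if __name__ == "__main__":
    # Section 4.7.2: f(x) = x^3 + 6x^2 + 12x + 5, shares (1, 24) and (3, 122), k = 3
    cands = recover_candidates(1, 24, 3, 122, 3)
    print(cands)                                # [(-6, -149, -67), (2, 3, 5)]
    print(filter_with_share(cands, 2, 61, 3))   # [(2, 3, 5)]  a third share decides
    # Section 4.7.1: f(x) = x^2 + 4x + 7, shares (2, 19) and (4, 39), k = 2
    print(recover_candidates(2, 19, 4, 39, 2))  # [(2, -3, 7)]
```

For odd $k$ the difference $(x_2 + \alpha)^k - (x_1 + \alpha)^k$ is an even-degree polynomial in $\alpha$, so a mirrored solution with $A, B < 0$ (here $A = -5$, $B = -3$) survives alongside the intended one; the search therefore never returns fewer than the algebra allows, and a third share, or the sign convention of the secret, is needed to finish.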




4.7.3  Common Factors in Polynomial Coefficients

The significance of $\alpha$ can be related to the generalized form $f(x) = (x + \alpha)^k - b_0$. Since this
form is a binomial expansion, its coefficients are $a_i = \binom{k}{i}\alpha^{k-i}$ for $1 \le i \le k - 1$,
so $\alpha$ divides every coefficient except the leading one and the constant term $a_0 = \alpha^k - b_0$.
If the dealer-generated polynomial contains coefficients that share a common factor, it is
therefore natural to try that common factor (and its divisors) as the value of $\alpha$. Hence, the
dealer needs to be careful when randomly generating the coefficients to form the polynomial
for secret sharing.

The above finding leads to another observation. If the dealer generates a polynomial whose
coefficients are distinct primes, then the generalized system derived in this thesis would not
be applicable, as there is no common factor among such coefficients.

4.7.4  Outcome

In a bid to continue finding ways to simplify a given polynomial to linear or monic form,
the Fundamental Theorem of Algebra [3, pp. 254, 288] is referenced. The theorem
states that any polynomial $f(x)$ can be factorized over the complex number field $\mathbb{C}$ as
$f(x) = a_n \prod_{i=1}^{n} (x - a_i)$, where $n$ is the degree of the polynomial $f(x)$. For this analysis,
by extension, this means that any given dealer-generated polynomial (including
non-monic polynomials) can be scaled to a monic polynomial; whether the generalized
form $f(x) = (x + \alpha)^k - b_0$ then applies, so that the secret can be reconstructed from just two
public shares, is a separate question.

It was claimed, and found, that not all monic polynomials can be reduced to the general
form as proposed in this thesis. For non-monic polynomials, an eavesdropper or outsider
can attempt to transform the polynomial to either a non-linear, or a monic, polynomial form.
Opportunities for future work of this nature are discussed in Chapter 6.

Therefore, it is important for the dealer to generate the secret polynomial with coefficients
that do not contain a common factor. More often than not, the common factor could be the
value of $\alpha$ for an eavesdropper or outsider whose main purpose is to reconstruct the secret
efficiently by using only two public shares that are obtained easily.
CHAPTER 5:

Side-Channel Effect on AES

In cryptography, instead of gaining access to a cryptosystem through its algorithm, side-channel
attacks are any form of attack based on information leaked by the
physical implementation of the cryptosystem. Common physical parameters, including
power consumption, timing, electromagnetic emanation and acoustic noise, can be used as a
means of breaking into the cryptosystem or recovering its key.

This chapter discusses how the algorithms derived in Chapter 4 can be utilised to guard
against side-channel attacks.

5.1  Cryptographic Complexity

A variation of a secret sharing scheme without the use of a cryptographic key is elaborated
here.

•  Encode the desired secret $K_p$ as an arbitrary binary string of length $l$.

•  Generate $n - 1$ random binary strings $A_1, A_2, \ldots, A_{n-1}$, whose bit lengths are equal to the
size of the secret $K_p$, that is, also of length $l$.

•  Give each of the first $n - 1$ participants one of $A_1, A_2, \ldots, A_{n-1}$; the last participant
receives the result of the XOR $(K_p \oplus A_1 \oplus A_2 \oplus \cdots \oplus A_{n-1})$.

•  The secret can thus be recovered by gathering all of the participants' values and
XORing all of them together.

This exclusive-or (XOR) variation, however, requires that all of the shares be pooled together
in order to recover the secret key $K_p$: it is an $\{n, n\}$ scheme with no threshold below $n$.
Compared to SSSS, this XOR method is relatively more straightforward, and any $n - 1$ of its
shares are uniformly random and independent of $K_p$, so a coalition below the full set learns
nothing about the secret.
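The four steps above, as an added example in Python rather than code from the thesis, together with the check that backs the secrecy claim: for any $n - 1$ shares and any guessed secret there is always a last share that makes the guess correct, so the $n - 1$ shares carry no information. The `rng` hook and the function names are this example's own assumptions; real shares should come from `os.urandom`, which is the default.

```python
"""Added example (not from the thesis): the XOR {n, n} scheme of Section 5.1
with its reconstruction, plus the missing-share construction that shows any
n-1 shares are consistent with every possible secret."""
import os
from typing import Callable, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the secret's length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(secret: bytes, n: int,
              rng: Callable[[int], bytes] = os.urandom) -> List[bytes]:
    """n-1 random shares A_1..A_{n-1}; the last share is K_p XOR A_1 XOR ... XOR A_{n-1}."""
    if n < 2:
        raise ValueError("need at least two participants")
    shares = [rng(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def xor_join(shares: List[bytes]) -> bytes:
    """Recover K_p as the XOR of every share (all n are required)."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def missing_share_for(partial: List[bytes], guess: bytes) -> bytes:
    """Given n-1 shares, the n-th share that would make `guess` the secret.
    It exists for every guess, which is exactly why n-1 shares reveal nothing."""
    return xor_join(partial + [guess])


if __name__ == "__main__":
    key = os.urandom(16)                       # a constructed 128-bit K_p
    parts = xor_split(key, 4)
    print(xor_join(parts) == key)              # True: all four shares recover K_p
    # With three shares an attacker can "explain" any 128-bit value equally well.
    wrong = bytes(16)
    print(xor_join(parts[:3] + [missing_share_for(parts[:3], wrong)]) == wrong)  # True
```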

Blakley [2] made use of the properties of geometric spaces to implement his idea of an
ideal secret sharing scheme. In a three-dimensional space, three non-parallel planes
intersect at a specific point, and that point of intersection constitutes the desired secret. In
a $\{3, n\}$ threshold scheme, where three shares are required to recover the secret, one can
still obtain some information about the secret from two shares. Graphically, this can be viewed as
having information about the intersection of two non-parallel planes, which produces a line. The
secret is thus narrowed down to a point somewhere along that line; the line does not
pin the point down, but it does rule out every point off the line, which is why Blakley's
scheme, unlike Shamir's, is not perfect.

The algorithm and reasoning described in Chapter 4 made use of the fact that the secret
can eventually be recovered when partial information regarding the shares is known. The
principle behind forming the inequalities is to apply viable heuristics to narrow down the
possibilities for the unknown quantities to a manageable size, and then to recover the secret
using exhaustive search.

5.2  Cryptographic Attacks

Chapter 2 described the importance of the dealer. Here, the importance of the dealer is amplified
again during cryptographic attacks, where attackers could break into unsecured
systems, possibly through side-channel attacks, and steal shares that should remain privy to only
the participants. Since it would be impractical to change the secret itself, the uncompromised
shares can still be updated and renewed: the dealer issues a fresh generation of shares of the
same secret to the participants. The old shares that the attackers possess then become useless
unless the attackers go on to obtain enough shares of that same old generation to reach the
original threshold. The attackers would not gain much information from stealing a mixture of
old and updated shares either, since shares from different generations do not combine into
the secret. The dealer, in this scenario, possesses the ability to renew the shares, and in the
process render the old shares irrelevant.

5.3  AES

In 2001, the Secretary of Commerce approved and issued the Federal Information Processing
Standards Publication (FIPS PUB 197) specifying the AES, which can be used to protect
electronic data. Essentially, AES is a symmetric block cipher that can encrypt
(encipher) and decrypt (decipher) information. Importantly, AES
uses cryptographic keys of 128, 192, or 256 bits to encrypt and decrypt data
in 128-bit blocks. AES became effective from 2001 onwards [12]. In particular,
AES iterates a round transformation ten times for 128-bit keys (twelve and fourteen times for
192- and 256-bit keys), with each round consisting of the four stages
SubBytes, ShiftRows, MixColumns and AddRoundKey (the final round omits MixColumns).

5.4  Implementing AES with SSSS

Goubin and Martinelli [13], in 2011, proposed an original masking scheme based
on SSSS that serves as an alternative to Boolean masking. Their scheme offers a
credible complexity-security trade-off compared to Boolean masking. Typically, the proposed
SSSS masking is evaluated against the signal-to-noise ratio (SNR) of the
crypto application. For example, smart card implementations tend to
have a higher SNR, and it was found that first-order SSSS masking provided better
security and less complexity than third-order Boolean masking. For hardware implementations
where the noise can be reduced drastically, the same first-order SSSS masking
can produce results comparable to fourth-order Boolean masking, thereby
amplifying the advantages of SSSS masking for applications with low SNR.

Following Goubin and Martinelli's [13] claim of better efficiency for their proposed scheme
of SSSS masking versus Boolean masking, Coron et al. [14], in 2013, exhibited a flaw in
this scheme by showing that it can always be broken by a first-order side-channel
analysis (SCA). In addition, Coron et al. proposed an improvement to the evaluation
of the $k$-degree polynomial using the Discrete Fourier Transform (DFT) that reduces the
evaluation time from $O(n^2)$ to $O(n)$, thereby effectively reducing the complexity of the scheme
from third order to second order.

Consider the success of reducing the computational complexity of manipulating a $k$th-degree
polynomial into a manageable polynomial of the form $f(x) = (x + \alpha)^k - b_0$, with
smaller cardinality. The masking field operations in [13] similarly introduced two sensitive
variables $b$ and $u$ following SSSS. The XOR operation with the second variable $u$ was
used to mask the sensitive variable $b$, where $b$ is held as shares $(x_i, y_i)$, $0 \le i \le k$ ($k$ being
the degree), in the following manner:

\[
(x_i', y_i') \leftarrow (x_i, y_i \oplus u).
\]

Multiplication by any scalar $c$ yields the following:

\[
(x_i', y_i') \leftarrow (x_i, y_i \cdot c).
\]

Working in a field of characteristic 2, squaring is $\mathbb{F}_2$-linear (the Frobenius map), so
$\left(\sum_j a_j x^j\right)^2 = \sum_j a_j^2 x^{2j}$ and the squared shares $(x_i^2, y_i^2)$ are again shares,
of $b^2$, under a polynomial of the same degree:

\[
(x_i', y_i') \leftarrow (x_i^2, y_i^2).
\]

Here, it is noted that the product of two variables protected by such a secret sharing scheme
cannot be handled by an algebraic transformation that is linear in nature, since the product of
two $k$-degree polynomials yields a polynomial of degree up to $2k$ in this finite field. In such
cases, a share-wise (linear) operation is not possible.

In the same research paper, Goubin and Martinelli [13] also stated that the security of SSSS
against any form of SCA is based on the following points:

•  For polynomial interpolation, at least $(k + 1)$ shares are required to define a polynomial
of degree $k$.

•  The computation of each Lagrange basis polynomial $l_i(x)$ depends only on the public
points $x_i$ and is independent of any secret share.

Through these findings by Goubin and Martinelli, the analysis in the earlier chapters can
be similarly extended to the following:

•  The computation of $l_i(x)$, and subsequently of the secret, is independent of any public
shares that can be obtained.


5.5  Monic Generator Polynomial for Secret Sharing

The analysis in Chapter 4 provides an alternative methodology to recover the secret with
less-than-expected available information. It effectively reduces the evaluation of the monic
polynomial to $O(n)$, since only linear algebra is involved. The objective of reducing to
linearity is that linear equations are easier to solve, which is the main motivation
behind cryptanalysts' desire to approximate non-linear components with linear ones.

Although the coefficients could be generated randomly, from a security perspective, the
level of security can be elevated by carefully choosing the coefficients of the generated
polynomial. For improved security, the dealer should avoid generating a polynomial whose
coefficients are the successive binomial terms $\binom{k}{i}\alpha^{k-i}$ of an expansion $(x + \alpha)^k$,
and should reject any candidate polynomial whose coefficients share a common factor. This
further amplifies the importance of the dealer when generating the polynomial for secret sharing.




CHAPTER  6: 
Conclusion 


6.1  The Perfect Secret Sharing Scheme

A lot of research has focused on the creation of a perfect secret sharing scheme. There are
no known weaknesses of Shamir's Secret Sharing Scheme when the polynomial is chosen uniformly
at random, other than the computational cost of interpolation when the generated polynomial has
a large degree. While many modified secret sharing schemes have proven more effective than SSSS,
they have only been better under certain parameters; there is always a trade-off with some
parameter of the scheme.

6.2  Future  Work 

Further  research  can  be  done  in  the  following  fields  to  enhance  the  efficiency  of  the  current 
SSSS. 

6.2.1  Ramp Secret Sharing

Ramp secret sharing involves the gradual leakage of information, subject to a dealer-generated
polynomial of degree $(t + l - 1)$, where any $t$ participants have no information at the
beginning. As each additional share is leaked subsequently, the amount of information that can
be deciphered per share is $\log_2 q$ bits. This means that only $(t + l)$
participants can recover all $l$ secrets. This is also known as a $(t, t + l, n)$ ramp scheme, where
$n < q - l$.

If the dealer-generated polynomial in ramp secret sharing schemes can also be reduced to
the generalized form $f(x) = (x + \alpha)^k - b_0$ or the equivalent, then it may prove to be sufficient
to obtain just two shares, and the secret can be recovered easily through exhaustive
substitution of the value of $\alpha$.

6.2.2 Prime Numbers as Polynomial Coefficients

The dealer-generated polynomial comprises random integer coefficients. In-depth
research into prime coefficients may yield different approaches to recovering the secret,
because the monic polynomial then cannot be easily reduced to the generalized form
$f(x) = (x + a)^k - b_0$ or the equivalent, since each of the prime coefficients $(p_1, p_2, \ldots, p_n)$
can only yield 0 when reduced modulo $p_1, p_2, \ldots, p_n$, respectively.

6.2.3 Composite Functions of Polynomials and the Fundamental Theorem of Algebra

In Section 2.3, the composite function $f(x) = h(x) \circ g(x)$ was mooted as an alternate
form to simplify the mechanics of SSSS. The function $g(x)$ was assumed to be linear, which
allowed the generalised form upon which the analysis in this thesis is based. Consider the
alternate form in which the dealer-generated polynomial $h(x)$ can be expressed as
$f(x) = a_0 \times (x - \alpha)^k \times (x - \beta)^k$ by applying another linear function $\gamma(x)$. This is also
known as the Fundamental Theorem of Algebra.

APPENDIX: Diffie-Hellman Key Exchange


A.1 What Is Diffie-Hellman (D-H) Key Exchange?

In cryptography, Diffie-Hellman (D-H) key exchange is an encryption algorithm that is
implemented to establish a secret between two parties. This form of key exchange is
very prevalent in real-world symmetric encryption algorithms such as the Rivest-Shamir-
Adleman (RSA) algorithm. It is a specific method of exchanging cryptographic keys over
a public channel, such that the result is decipherable only by the relevant parties.

The mechanics of the D-H key exchange are illustrated as follows:

• Say Albert and Bernard want to establish a secret $s$ between themselves, but do not
want anyone else to know the secret.

• First, both parties have to agree on a prime number $p$ and a base $g$. Note that $g$ is a
primitive root modulo $p$.

• Albert then chooses a secret integer $a$, which only he knows, and computes
$A = g^a \pmod p$.

• Bernard, like Albert, also chooses a secret integer $b$, which only he knows,
and computes $B = g^b \pmod p$.

• Albert then sends the value of $A$ to Bernard, and likewise, Bernard sends the value of
$B$ to Albert.

• To compute the shared secret $s$, Albert computes $s = B^a \pmod p$, and likewise,
Bernard computes $s = A^b \pmod p$ to obtain the same secret $s$.

This algorithm is secure because the values of $a$ and $b$ are kept secret and known only to the
relevant parties. All other values can be sent in the clear, and may be intercepted by
eavesdroppers, but the eavesdroppers will not be able to recover the secret because they lack
knowledge of $a$ and $b$.

A.1.1 Example

• Albert and Bernard agree on $p = 23$ and $g = 5$, where 5 is a primitive root modulo
23.

• Albert chooses secret integer $a = 9$, and computes $A = g^a \pmod p = 5^9 \pmod{23} = 12$.

• Bernard chooses secret integer $b = 13$, and computes $B = g^b \pmod p = 5^{13} \pmod{23} = 2$.

• Albert sends $A = 12$ to Bernard, and receives $B = 2$ from Bernard.

• Albert then computes the secret $s = B^a \pmod p = 2^9 \pmod{23} = 6$, and Bernard
computes the secret $s = A^b \pmod p = 12^{13} \pmod{23} = 6$.

The secret $s = 6$ can then be used as an encryption key (known only to the two of
them) to send messages across open communications channels.

The D-H key exchange algorithm works because of the properties of modular exponentiation:

$A^b \pmod p = (g^a \pmod p)^b \pmod p = g^{ab} \pmod p,$

$B^a \pmod p = (g^b \pmod p)^a \pmod p = g^{ba} \pmod p,$

$g^{ab} \pmod p = g^{ba} \pmod p.$

Note that for this key-exchange algorithm to work, the base $g$ must be chosen to be a
primitive root modulo the prime $p$, that is, a generator of the multiplicative group modulo $p$.
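The exchange above, with the appendix's parameters $p = 23$ and $g = 5$, written out as an added illustration (not code from the thesis). The secret exponents and the primitive-root check are constructed for this example; the check shows why the note on the base matters, since a non-generator such as 2 (order 11 modulo 23) generates only half of the possible shared secrets.

```python
"""Toy Diffie-Hellman exchange over the appendix's tiny group (p = 23, g = 5).

Added illustration, not code from the thesis. Parameters p and g are the
appendix's; the secret exponents below are constructed for this example.
"""


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def element_order(g, p):
    """Multiplicative order of g modulo prime p (size of the subgroup it generates)."""
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def dh_exchange(p, g, a, b):
    """Run the exchange from the appendix and return (A, B, s_albert, s_bernard).
    Only A and B travel over the channel; a and b never leave their owners."""
    A = pow(g, a, p)          # Albert publishes A = g^a mod p
    B = pow(g, b, p)          # Bernard publishes B = g^b mod p
    s_albert = pow(B, a, p)   # Albert: B^a = g^(ba) mod p
    s_bernard = pow(A, b, p)  # Bernard: A^b = g^(ab) mod p
    return A, B, s_albert, s_bernard


P, G = 23, 5                  # the appendix's parameters; 5 is a primitive root mod 23
A_SECRET, B_SECRET = 6, 15    # constructed secret exponents for this illustration

if __name__ == "__main__":
    print("5 is a primitive root mod 23:", is_primitive_root(G, P))
    A, B, s1, s2 = dh_exchange(P, G, A_SECRET, B_SECRET)
    print(f"A={A} B={B} shared={s1} (both sides agree: {s1 == s2})")
    # A non-generator base shrinks the space of possible shared secrets:
    # 2 has order 11 mod 23, so at most 11 distinct secrets instead of 22.
    print("order of 2 mod 23:", element_order(2, P))
```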